Thieves Make off With $58,000 from Troubled Newdex Cryptocurrency Exchange

Over the past couple of weeks, there has been a slew of headlines announcing the latest "hack" of a cryptocurrency exchange. This time the victimized exchange was Newdex, which is a controversial entity in and of itself. The thieves (a much more accurate term than "hackers") stole some $58,000 in cryptocurrency by exploiting a vulnerability in the Newdex architecture. They bombarded the exchange with fake EOS tokens and, as Newdex later acknowledged, used them to purchase ADD, BLACK and IQ tokens. In all, nearly 12,000 purchase orders were executed with the fake EOS tokens, all stemming from a single account.

All Apologies

Once the thieves had purchased the ADD, BLACK and IQ tokens, they used them to purchase real EOS tokens. They then took those real EOS tokens and made for the hills, transferring them to Bitfinex. In all, Newdex users were saddled with a loss of approximately $58,000 at that day's valuations. Newdex security was late in recognizing the charade and didn't shut down the service until the thieves had taken their ill-gotten gains and left. According to exchange managers, repairs were made to the system to prevent a recurrence, and normal operations resumed about an hour later. Perhaps most curiously, Newdex, after apologizing, announced it had no plans to compensate users for the losses, even though they occurred as a direct result of the system's technical shortcomings.

The Problem with Newdex

Even though Newdex uses "dex" in its name, openly implying it is a decentralized exchange, it is not, a fact that has led to accusations of fraud from some in the crypto-verse. To buttress the illusion of decentralization, Newdex uses Scatter for login and interface purposes. But that is only a veneer: order execution is not handled by smart contracts, as it is on any true decentralized cryptocurrency exchange today. Instead, orders are processed through a single account reserved for the exchange and matched on an off-chain centralized server. In response to criticisms leveled at it in the wake of the recent theft, Newdex, instead of admitting its own deficiencies, laid the problem at the feet of the EOS network.
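The counterfeit-token angle, as an added example that is not from the article or from Newdex's own code: on EOS a token is identified by the contract that issued it, not merely by its symbol, so a deposit handler that credits any transfer whose quantity string reads "EOS" will accept fakes issued by an unrelated contract. The validator below keys acceptance on contract, symbol and precision; the account names, the sample actions and the assumption that symbol-only matching was the failure mode are mine.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Canonical system token on the EOS mainnet: contract "eosio.token", symbol "EOS", 4 decimals.
# Any other contract that emits a quantity printed as "EOS" is a different asset.
CANONICAL_TOKENS = {("eosio.token", "EOS"): 4}

@dataclass(frozen=True)
class Deposit:
    contract: str
    amount: Decimal
    symbol: str
    sender: str

def parse_quantity(quantity: str):
    """Split an EOS asset string such as '1.0000 EOS' into (amount, symbol, precision)."""
    amount_str, symbol = quantity.strip().split(" ")
    precision = len(amount_str.split(".")[1]) if "." in amount_str else 0
    return Decimal(amount_str), symbol, precision

def validate_transfer(action: dict, exchange_account: str) -> Optional[Deposit]:
    """Return a Deposit only for a canonical-token transfer into the exchange account.
    `action` follows the shape of an EOS action trace: account (contract), name, data."""
    if action.get("name") != "transfer":
        return None
    data = action.get("data", {})
    if data.get("to") != exchange_account:
        return None  # outgoing or unrelated transfer, not a deposit
    amount, symbol, precision = parse_quantity(data["quantity"])
    expected_precision = CANONICAL_TOKENS.get((action.get("account"), symbol))
    # Reject unknown issuing contracts, mismatched precision and non-positive amounts.
    if expected_precision is None or precision != expected_precision or amount <= 0:
        return None
    return Deposit(action["account"], amount, symbol, data["from"])

# Constructed sample actions (hypothetical account names, not real chain data).
SAMPLE_ACTIONS = [
    {"account": "eosio.token", "name": "transfer",
     "data": {"from": "alice", "to": "exchangeacct", "quantity": "10.0000 EOS", "memo": "deposit"}},
    {"account": "faketoken111", "name": "transfer",  # same symbol, wrong issuer
     "data": {"from": "mallory", "to": "exchangeacct", "quantity": "1000000.0000 EOS", "memo": "deposit"}},
    {"account": "eosio.token", "name": "transfer",  # outgoing, must not be credited
     "data": {"from": "exchangeacct", "to": "bob", "quantity": "5.0000 EOS", "memo": "withdraw"}},
]

def credit_deposits(actions, exchange_account="exchangeacct"):
    """Deposits that pass validation; everything else is silently dropped for review."""
    return [d for d in (validate_transfer(a, exchange_account) for a in actions) if d]
```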

Small Potatoes

In the overall scheme of things, and in light of losses incurred by some other cryptocurrency exchanges, the $58,000 in losses incurred by Newdex customers seems like pretty small potatoes (and as we’ll see in a minute, it is). The thing that makes the story newsworthy is that Newdex has been marketing itself as a totally decentralized exchange when it seems clear to anyone with a passing knowledge of how these things work that they are not. The whole fiasco also serves to embolden the regulatory crowd which frustrates crypto-purists to no end.

Putting Things in Perspective

While $58,000 is no doubt a significant loss for those victimized by the Newdex theft, it's not in the same league with the most significant cryptocurrency thefts of the past few years. Here are several of those to provide some perspective:

NiceHash - In December 2017 mining marketplace NiceHash acknowledged it had been the victim of a sophisticated theft involving an employee's computer. That computer was targeted by outside entities, compromised and used as a platform to gain entry to the service. The attackers pilfered a total of 4,736 Bitcoins from NiceHash customer wallets and transferred them to a single wallet address, beyond the reach of cybersecurity experts and law enforcement. The total value of the theft was nearly $63 million, using valuations at the time of the event. As of this writing, it seems the thieves are either content to simply sit on their spoils, or they have yet to fashion a foolproof way to unload their take, since the Bitcoins in question are still being held in that single known-but-inaccessible wallet.

Mt. Gox - Mt. Gox was a Bitcoin exchange that was launched in 2010. Just three years later it was handling more than 70% of global Bitcoin transactions. It was considered a shining success story and proof of the viability of the Bitcoin model and of Bitcoin itself as a commodity. In 2014, however, it was revealed that thieves had been raiding the Mt. Gox exchange almost since its inception without being detected and had made off with more than 850,000 Bitcoins. Valuations at the time of the theft put losses at $460 million (more than $5.6 billion at today's valuations). It turns out the theft was made possible by shoddy coding practices at the exchange, so shoddy in fact that coders working on the same file could override each other's changes without being aware of it. To top things off, all changes to the Mt. Gox code, even urgent security changes, had to be personally approved by the company's CEO. After Mt. Gox management revealed the theft, the exchange was shut down and its website closed. Bankruptcy proceedings were initiated almost immediately, and two months after shutting down the company began to liquidate assets.

Coincheck - The largest theft in terms of time-of-theft valuations was the Coincheck theft, in which cybercriminals were able to steal more than 500 million XEM coins valued at the time at more than $534 million. The thieves were able to access what's called a hot wallet (a wallet connected to the Internet) and siphon its contents off into their own wallet. The company was roundly criticized for keeping the coins in such a vulnerable wallet when far more secure options were available. The Coincheck theft differed from the Mt. Gox theft in one notable way: whereas the value of the Bitcoins lifted in the Mt. Gox theft has increased more than 11-fold, the value of the XEM coins stolen from Coincheck has decreased by some 90% to approximately 9 cents per coin. Nonetheless, Coincheck has stated its intention to compensate customers for their losses at a rate of 83 cents per coin, though no one is completely sure how it is going to do that.